It then suggests that "This is actually a really useful message..." since it tells us which keys to download. It then proceeds to tell the user how to download the keys from a keyserver.

What I don't understand is this: if I have somehow downloaded a compromised file, why would I ever trust the key IDs given when I attempt to verify the file? If the file is compromised, it could be signed with a different key. My understanding of keyservers is that anyone can upload keys, and they keep in sync with each other, and so doing gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys ... would simply download the wrong key, tell me the file is verified and lure me into a false sense of security. What have I missed?

From a web of trust point of view, you may find when you receive the key it's signed by other people who you do trust, verifying that the key likely is genuine. In practice this isn't done and you're just verifying that the file has a signature.
– Torin, Mar 24 at 13:30
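
The concern in the question, as an added example that is not part of the original post or comment: the check below accepts a file only when gpg's machine-readable status shows a good signature made by a fingerprint pinned in advance, rather than by whichever key the signature names. The pinned fingerprint, the sample status lines and the function names are constructed for illustration; the real fingerprint has to come from a channel independent of the download.

```shell
#!/bin/sh
# Constructed placeholder: replace with the fingerprint the publisher announces
# over a separate channel you already trust (not the download mirror).
PINNED_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# Reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if the signature is good AND its primary key is the pinned one.
status_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        # Any failed, expired or revoked signature rejects the file.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # Last field of VALIDSIG is the primary key fingerprint.
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(pin)) pinned = 1
            else other = 1   # valid signature, but from a key we never pinned
        }
        END { exit !(good && pinned && !bad && !other) }
    '
}

# usage: verify_file SIGNATURE FILE
verify_file() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}

# Constructed status output: a signature by the pinned key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2024-03-24 1711287000 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'

# Constructed status output: gpg also reports GOODSIG here, because the key
# named by the signature was fetched from a keyserver, but it is not our pin.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333222211110000 Someone Else <other@example.net>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-03-24 1711287000 0 4 0 1 10 00 9999888877776666555544443333222211110000'

if [ "$#" -eq 2 ]; then
    verify_file "$1" "$2" && echo "signature is from the pinned key"
fi
```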